random passwords (was Re: Worm...)
J Greely
jgreely at cis.ohio-state.edu
Sun Nov 27 06:22:01 AEST 1988
In article <274 at aber-cs.UUCP> pcg at cs.aber.ac.uk writes:
>In article <13169 at ncoast.UUCP> allbery at ncoast.UUCP writes:
> A possible enhancement is to use phonemes instead of letters, thus
> increasing the chances of a pronounceable password. It could be combined
> with a phoneme-to-letter table which could randomly (or maybe not so
> randomly, depends on how much time I want to put in it) choose between
> alternative representations (f/ph, etc.) of a phoneme.
The posted version of this (pwgen, in comp.sources.misc, natch)
doesn't quite work. I sent the minor changes to Brandon. The
generated words sound nothing like English, but they *are*
pronounceable (mostly).
>As has been discussed at length and conclusively, generating by algorithm
>mnemonic passwords is a very bad idea, because:
>[1] It restricts unconscionably the key space (usually to a few thousand
>or at best dozen thousand entries).
Well, after fixing the minor bugs in pwgen, I'm not terribly worried about
the key space:
% pwgen 9 500000 | sort | uniq | wc -l
482718
The percentage of unique passwords seems to drop at a fairly
constant rate as you raise the number generated, but at 500000 it's
still over 96%. It would require more testing to see just how many
unique strings it's capable of generating, but that's for another day.
>[2] If the algorithm used to generate the passwords gets known, it can be
>used to obtain a complete list of all possible passwords.
Naaah. The patch I sent to him suggested adding a switch to randomly
upcase letters, as well as replace letters with numbers ('l' -> '1',
'o' -> '0', etc). If 8-character passwords are chosen, modified by
these transformations, the key space is more than sufficient.
--
J Greely (jgreely at cis.ohio-state.edu; osu-cis!jgreely)
Unseen, in the background, Fate was quietly slipping the lead
into the boxing glove.
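
Added example (not part of the original post or of pwgen): one way to turn the unique count quoted above (482718 distinct out of 500000) into a rough key-space estimate by inverting the expected-distinct-values formula. The function names are hypothetical, and it assumes every output is equally likely; a skewed generator collides more often, so the figure then understates the number of reachable strings.

```python
import math

def expected_unique(space, draws):
    """Expected distinct values in `draws` uniform picks from `space` values."""
    # space * (1 - (1 - 1/space)**draws), computed stably for large `space`
    return -space * math.expm1(draws * math.log1p(-1.0 / space))

def estimate_space(draws, unique):
    """Solve expected_unique(N, draws) == unique for N by bisection."""
    if not 0 < unique < draws:
        # With no collisions the sample only says "much larger than draws".
        raise ValueError("need at least one collision to estimate the space")
    lo = hi = float(unique)          # the space cannot be smaller than this
    while expected_unique(hi, draws) < unique:
        hi *= 2.0                    # expand until the root is bracketed
    for _ in range(200):             # expected_unique is increasing in N
        mid = (lo + hi) / 2.0
        if expected_unique(mid, draws) < unique:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0

# Figures from the post: pwgen 9 500000 | sort | uniq | wc -l  ->  482718
DRAWS, UNIQUE = 500_000, 482_718

def report():
    """Return (estimated key-space size, equivalent bits) for the post's run."""
    n = estimate_space(DRAWS, UNIQUE)
    return n, math.log2(n)

if __name__ == "__main__":
    n, bits = report()
    print(f"estimated key space: {n:,.0f} (~{bits:.1f} bits)")
```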